A Russian hacker who created and used Neverquest banking malware to steal money from victims’ bank accounts has finally been sentenced to 4 years in prison by the United States District Court for the Southern District of New York.

Stanislav Vitaliyevich Lisov, 34, was arrested by Spanish authorities at Barcelona–El Prat Airport in January 2017 on the request of the FBI and extradited to the United States in 2018.

Earlier this year, Lisov pleaded guilty to one count of conspiracy to commit computer hacking, involving attempts to steal at least $4.4 million from hundreds of victims using the NeverQuest banking trojan.

Just like any other sophisticated banking Trojan, NeverQuest, aka Vawtrak or Snifula, has also been designed to let attackers remotely control infected computers and steal a wide range of sensitive information.

Besides stealing login information for banking or other financial accounts using a keylogger or web form injection techniques, the malware was also capable of stealing passwords stored in FTP clients, private keys, or stored within remote-desktop settings.

NeverQuest became so popular among financially motivated hackers and scammers that the banking trojan was ranked the number two global financial malware in 2015 and the number one in 2016.

NeverQuest Caused An Estimated Damage of $4.4 Million

According to a press release published by the U.S. Department of Justice, Lisov and his co-conspirators distributed NeverQuest banking trojan worldwide between June 2012 and January 2015 through social media, phishing emails, and file transfer services; and used exploit kits or drive-by downloads as initial infection vectors.

The duo then used the stolen login information to steal money from victims’ bank accounts using various means, including wire transfers, ATM withdrawals, and online purchases of expensive items.

“In total, Lisov and his co-conspirators attempted to steal at least approximately $4.4 million using NeverQuest, and in fact, stole at least approximately $855,000 from their victims’ online financial accounts,” the court document says.

Besides creating and deploying NeverQuest for his own personal enrichment, Lisov was also responsible for maintaining and renting out botnet servers that contained a list of nearly 1.7 million stolen login credentials—including usernames, passwords, and security questions and answers.

The conspiracy to commit computer hacking charge carries a maximum sentence of five years in prison under the terms of a plea deal Lisov struck with the Justice Department in February this year when he pleaded guilty.Today, the United States Attorney Geoffrey S. Berman sentenced Lisov to 48 months in prison.

In addition to his prison term, Lisov has also been sentenced to 3 years of supervised release and ordered to pay a forfeiture of $50,000 and restitution of $481,388.04.